Category
Enablement
This research examines how Model Context Protocol (MCP) tools expand the attack surface for autonomous agents, detailing exploit vectors such as tool poisoning, orchestration injection, and rug-pull redefinitions alongside practical defense strategies.
Now available: the 2025 State of Detection Engineering at Elastic
The 2025 State of Detection Engineering at Elastic explores how we create, maintain, and assess our SIEM and EDR rulesets.
Linux Detection Engineering - The Grand Finale on Linux Persistence
By the end of this series, you'll have a robust knowledge of both common and rare Linux persistence techniques; and you'll understand how to effectively engineer detections for common and advanced adversary capabilities.
Emulating AWS S3 SSE-C Ransom for Threat Detection
In this article, we’ll explore how threat actors leverage Amazon S3’s Server-Side Encryption with Customer-Provided Keys (SSE-C) for ransom/extortion operations.
WinVisor – A hypervisor-based emulator for Windows x64 user-mode executables
WinVisor is a hypervisor-based emulator for Windows x64 user-mode executables that leverages the Windows Hypervisor Platform API to provide a virtualized environment for logging syscalls and enabling memory introspection.
Streamlining Security: Integrating Amazon Bedrock with Elastic
This article will guide you through the process of setting up the Amazon Bedrock integration and enabling Elastic's prebuilt detection rules to streamline your security operations.
Elevate Your Threat Hunting with Elastic
Elastic is releasing a threat hunting package designed to aid defenders with proactive detection queries to identify actor-agnostic intrusions.
Storm on the Horizon: Inside the AJCloud IoT Ecosystem
Wi-Fi cameras are popular due to their affordability and convenience but often have security vulnerabilities that can be exploited.
Kernel ETW is the best ETW
This research focuses on the importance of native audit logs in secure-by-design software, emphasizing the need for kernel-level ETW logging over user-mode hooks to enhance anti-tamper protections.
Elastic releases the Detection Engineering Behavior Maturity Model
Using this maturity model, security teams can make structured, measurable, and iteritive improvements to their detection engineering teams..
Linux Detection Engineering - A Sequel on Persistence Mechanisms
In this final part of this Linux persistence series, we'll continue exploring persistence mechanisms on Linux systems, focusing on more advanced techniques and how to detect them.
Linux Detection Engineering - A primer on persistence mechanisms
In this second part of the Linux Detection Engineering series, we map multiple Linux persistence mechanisms to the MITRE ATT&CK framework, explain how they work, and how to detect them.
情報窃取から端末を守る
本記事ではElastic Securityにおいて、エンドポイント保護を担っているElastic Defendに今年(バージョン8.12より)新たに追加された、キーロガーおよびキーロギング検出機能について紹介します。
Protecting your devices from information theft
In this article, we will introduce the keylogger and keylogging detection features added this year to Elastic Defend (starting from version 8.12), which is responsible for endpoint protection in Elastic Security.
Linux detection engineering with Auditd
In this article, learn more about using Auditd and Auditd Manager for detection engineering.
In-the-Wild Windows LPE 0-days: Insights & Detection Strategies
This article will evaluate detection methods for Windows local privilege escalation techniques based on dynamic behaviors analysis using Elastic Defend features.
Unlocking Power Safely: Privilege Escalation via Linux Process Capabilities
Organizations need to understand how Linux features contribute to their attack surface via privilege escalation and how to effectively monitor intrusion attempts using free and open detection capabilities.
Unveiling malware behavior trends
An analysis of a diverse dataset of Windows malware extracted from more than 100,000 samples revealing insights into the most prevalent tactics, techniques, and procedures.
Monitoring Okta threats with Elastic Security
This article guides readers through establishing an Okta threat detection lab, emphasizing the importance of securing SaaS platforms like Okta. It details creating a lab environment with the Elastic Stack, integrating SIEM solutions, and Okta.
STIXy Situations: ECSaping your threat data
Structured threat data is commonly formatted using STIX. To help get this data into Elasticsearch, we’re releasing a Python script that converts STIX to an ECS format to be ingested into your stack.
Starter guide to understanding Okta
This article delves into Okta's architecture and services, laying a solid foundation for threat research and detection engineering. Essential reading for those aiming to master threat hunting and detection in Okta environments.
Google Cloud for Cyber Data Analytics
This article explains how we conduct comprehensive cyber threat data analysis using Google Cloud, from data extraction and preprocessing to trend analysis and presentation. It emphasizes the value of BigQuery, Python, and Google Sheets - showcasing how to refine and visualize data for insightful cybersecurity analysis.
Signaling from within: how eBPF interacts with signals
This article explores some of the semantics of UNIX signals when generated from an eBPF program.
Streamlining ES|QL Query and Rule Validation: Integrating with GitHub CI
ES|QL is Elastic's new piped query language. Taking full advantage of this new feature, Elastic Security Labs walks through how to run validation of ES|QL rules for the Detection Engine.
Using LLMs and ESRE to find similar user sessions
In our previous article, we explored using the GPT-4 Large Language Model (LLM) to condense Linux user sessions. In the context of the same experiment, we dedicated some time to examine sessions that shared similarities. These similar sessions can subsequently aid the analysts in identifying related suspicious activities.
Inside Microsoft's plan to kill PPLFault
In this research publication, we'll learn about upcoming improvements to the Windows Code Integrity subsystem that will make it harder for malware to tamper with Anti-Malware processes and other important security features.
Peeling back the curtain with call stacks
In this article, we'll show you how we contextualize rules and events, and how you can leverage call stacks to better understand any alerts you encounter in your environment.
Using LLMs to summarize user sessions
In this publication, we will talk about lessons learned and key takeaways from our experiments using GPT-4 to summarize user sessions.
Forget vulnerable drivers - Admin is all you need
Bring Your Own Vulnerable Driver (BYOVD) is an increasingly popular attacker technique whereby a threat actor brings a known-vulnerable signed driver alongside their malware, loads it into the kernel, then exploits it to perform some action within the kernel that they would not otherwise be able to do. Employed by advanced threat actors for over a decade, BYOVD is becoming increasingly common in ransomware and commodity malware.
Upping the Ante: Detecting In-Memory Threats with Kernel Call Stacks
We aim to out-innovate adversaries and maintain protections against the cutting edge of attacker tradecraft. With Elastic Security 8.8, we added new kernel call stack based detections which provide us with improved efficacy against in-memory threats.
Exploring Windows UAC Bypasses: Techniques and Detection Strategies
In this research article, we will take a look at a collection of UAC bypasses, investigate some of the key primitives they depend on, and explore detection opportunities.
Unpacking ICEDID
ICEDID is known to pack its payloads using custom file formats and a custom encryption scheme. We are releasing a set of tools to automate the unpacking process and help analysts and the community respond to ICEDID.
Exploring the Future of Security with ChatGPT
Recently, OpenAI announced APIs for engineers to integrate ChatGPT and Whisper models into their apps and products. For some time, engineers could use the REST API calls for older models and otherwise use the ChatGPT interface through their website.
Elastic Global Threat Report Multipart Series Overview
Each month, the Elastic Security Labs team dissects a different trend or correlation from the Elastic Global Threat Report. This post provides an overview of those individual publications.
Hunting for Suspicious Windows Libraries for Execution and Defense Evasion
Learn more about discovering threats by hunting through DLL load events, one way to reveal the presence of known and unknown malware in noisy process event data.
Hunting for Lateral Movement using Event Query Language
Elastic Event Query Language (EQL) correlation capabilities enable practitioners to capture complex behavior for adversary Lateral Movement techniques. Learn how to detect a variety of such techniques in this blog post.
Identifying beaconing malware using Elastic
In this blog, we walk users through identifying beaconing malware in their environment using our beaconing identification framework.
Ingesting threat data with the Threat Intel Filebeat module
Tutorial that walks through setting up Filebeat to push threat intelligence feeds into your Elastic Stack.
Stopping Vulnerable Driver Attacks
This post includes a primer on kernel mode attacks, along with Elastic’s recommendations for securing users from kernel attacks leveraging vulnerable drivers.
The Elastic Container Project for Security Research
The Elastic Container Project provides a single shell script that will allow you to stand up and manage an entire Elastic Stack using Docker. This open source project enables rapid deployment for testing use cases.
Vulnerability summary: Follina, CVE-2022-30190
Elastic is deploying a new malware signature to identify the use of the Follina vulnerability. Learn more in this post.
Elastic’s 2022 Global Threat Report: A roadmap for navigating today’s growing threatscape
Threat intelligence resources like the 2022 Elastic Global Threat Report are critical to helping teams evaluate their organizational visibility, capabilities, and expertise in identifying and preventing cybersecurity threats.
Forecast and Recommendations: 2022 Elastic Global Threat Report
With the release of our first Global Threat Report at Elastic, customers, partners, and the security community at large are able to identify many of the focus areas our team has had over the past 12 months.
Handy Elastic Tools for the Enthusiastic Detection Engineer
Tools like the EQLPlaygound, RTAs, and detection-rules CLI are great resources for getting started with EQL, threat hunting, and detection engineering respectively.
Getting the Most Out of Transformers in Elastic
In this blog, we will briefly talk about how we fine-tuned a transformer model meant for a masked language modeling (MLM) task, to make it suitable for a classification task.
Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)
Learn how Elastic Endpoint Security and Elastic SIEM can be used to hunt for and detect malicious persistence techniques at scale.
Hunting In Memory
Threat Hunters are charged with the difficult task of sifting through vast sources of diverse data to pinpoint adversarial activity at any stage in the attack.
Nimbuspwn: Leveraging vulnerabilities to exploit Linux via Privilege Escalation
Microsoft 365 Defender team released a post detailing several identified vulnerabilities. These vulnerabilities allow adversarial groups to escalate privileges on Linux systems, allowing for deployment of payloads, ransomware, or other attacks.
Testing your Okta visibility and detection with Dorothy and Elastic Security
Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.
Embracing offensive tooling: Building detections against Koadic using EQL
Find new ways to build behavioral detections against post-exploitation frameworks such as Koadic using Event Query Language (EQL).
Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)
Learn how Elastic Endpoint Security and Elastic SIEM can be used to hunt for and detect malicious persistence techniques at scale.
Practical security engineering: Stateful detection
By formalizing stateful detection in your rules, as well as your engineering process, you increase your detection coverage over future and past matches. In this blog post, learn why stateful detection is an important concept to implement.
Elastic Security opens public detection rules repo
Elastic Security has opened its detection rules repository to the world. We will develop rules in the open alongside the community, and we’re welcoming your community-driven detections. This is an opportunity to share collective security knowledge.